Security Headers (CSP) to protect from Clickjacking

What is Clickjacking?

Clickjacking is a type of cyber attack where an unseen malicious link is placed over your website's user interface.
Clickjackers usually gain access to the code of your website by stealing your admin password from another web service. With that access, a clickjacker inserts a script into your website without you knowing. This script tricks your users into clicking a button that may take them to a fake website controlled by the attacker, thus hijacking your visitors.
On the fake website, your user can be led to believe that they are typing in the password to their email or bank account, when they are in fact typing into a field controlled by the attacker.

This is a serious security risk that is best managed by:
  • Reducing the number of people who have access to your website
  • Always using a strong password
  • Enabling 2-factor logins for your website
  • Regularly reviewing and updating access to your website

Security Headers

Security Headers provide a layer of protection that helps protect websites from Clickjacking.
A Security Header is a small instruction sent by the web server at the start of each page response that restricts the loading of unauthorised external resources. By checking and restricting the resources allowed to load on your website, you help protect your website from hackers and bots prying into it and injecting harmful code or content.

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.


Setting up Security Headers on your Zest website

This security service is available to all Zest customers and takes approximately 2hrs to set up. Please contact Zeald support to get an estimate to set up Security Headers on your website.

This includes the implementation and testing of the service to ensure that it is working well on your website.
When you set up your Security Header it is important that you configure a complete list of the external resources required to make your website work. Examples of these external resources include Google AdWords tracking, Google Fonts used in the design, a third-party live chat, and so on.
Each of these required external resources needs to be authorised so that it loads on your website, while any other, unauthorised resource does not load.
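As an added example, not Zeald's own code or any customer's actual policy, the following Python script shows how a Content-Security-Policy header can be read and checked: whether its frame-ancestors directive stops other sites from framing your pages (the clickjacking protection) and whether each external resource you rely on, such as a tag-manager script or Google Fonts, is actually authorised by the policy. The policy, hostnames and resource URLs are constructed for illustration, and the live-chat domain is a hypothetical script that has not yet been authorised.

```python
"""Added example (not Zeald's code): read a Content-Security-Policy header and
report whether it blocks framing and which external resources it authorises.
All hostnames, URLs and the policy itself are constructed for illustration."""
from urllib.parse import urlparse

# Constructed sample policy of the kind a website might send. The hostnames
# are examples only, not taken from any real configuration.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://www.googletagmanager.com https://*.google-analytics.com; "
    "style-src 'self' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.gstatic.com; "
    "frame-ancestors 'none'"
)

# Constructed list of (directive, URL) pairs the site needs. The live-chat
# entry is a hypothetical script that has NOT been authorised in SAMPLE_CSP.
REQUIRED_RESOURCES = [
    ("script-src", "https://www.googletagmanager.com/gtag/js"),
    ("script-src", "https://region1.google-analytics.com/g/collect"),
    ("style-src", "https://fonts.googleapis.com/css2?family=Roboto"),
    ("font-src", "https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2"),
    ("script-src", "https://chat.example-livechat.net/widget.js"),
]


def parse_csp(header):
    """Turn 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def blocks_framing(policy):
    """True when frame-ancestors lets only the site itself (or nobody) frame
    the page. Browsers honour frame-ancestors over X-Frame-Options when both
    are present, so this is the directive to check for clickjacking."""
    ancestors = policy.get("frame-ancestors")
    if not ancestors:
        return False  # no framing restriction: any site may frame the page
    return all(src.lower() in ("'none'", "'self'") for src in ancestors)


def host_matches(pattern, host):
    """Match a CSP host pattern such as *.example.com against a hostname."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def resource_allowed(policy, directive, url, own_host):
    """True if `url` may load under `directive`, falling back to default-src.
    Ports, paths, nonces and hashes are ignored to keep the check readable."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src", [])
    target = urlparse(url)
    for src in sources:
        if src == "'self'":
            if target.hostname == own_host.lower():
                return True
        elif src.startswith("'"):
            continue  # 'none', 'unsafe-inline', nonces, hashes: not host sources
        elif src.endswith(":") and "/" not in src:
            # scheme-source such as "https:" permits any host on that scheme
            if src[:-1].lower() == target.scheme:
                return True
        else:
            src_parsed = urlparse(src if "://" in src else "//" + src)
            if src_parsed.scheme and src_parsed.scheme != target.scheme:
                continue
            if host_matches(src_parsed.hostname, target.hostname):
                return True
    return False


def audit(header, own_host, required):
    """Return {'blocks_framing': bool, url: allowed?, ...} for a policy."""
    policy = parse_csp(header)
    report = {"blocks_framing": blocks_framing(policy)}
    for directive, url in required:
        report[url] = resource_allowed(policy, directive, url, own_host)
    return report


if __name__ == "__main__":
    for item, ok in audit(SAMPLE_CSP, "www.example.co.nz", REQUIRED_RESOURCES).items():
        print(f"{'OK     ' if ok else 'BLOCKED'} {item}")
```

Running the script prints one line per resource. Anything reported as BLOCKED is exactly the kind of resource that must be authorised in the header before it goes live, otherwise the browser will refuse to load it and that part of the site will break.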

We will test your website and check for any breakages potentially caused by these changes. If the change does cause issues, we will roll back the change and apply a fix.
There is a small risk that an external script, perhaps from a customisation, is used somewhere on your website that is difficult for our team to find.

There may be a Customisation required to get your website working with the Security Header, in which case we will let you know and provide you with a Time & Materials estimate before we continue further.

Keep in mind that if, in the future, you choose to add an external script such as Livechat, you will need to contact Zeald support to "authorise" the domain of the script so that it loads and functions correctly on your website.